fix: use 403 for authorization errors

server/src/routes/v1/apps/handlers/createApp.js

@@ -39,7 +39,7 @@ module.exports = {
     },
     handler: async (request, h) => {
         if (!canCreateApp(request, h)) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
         const { notificationService } = request.services(true)
 
@@ -75,7 +75,7 @@ module.exports = {
             db
         )
         if (!isMember && !isManager) {
-            throw Boom.unauthorized(
+            throw Boom.forbidden(
                 `You don't have permission to upload apps to that organisation`
             )
         }
@@ -106,7 +106,7 @@ module.exports = {
 
                 isCoreApp = manifest.core_app
                 if (isCoreApp && !isManager) {
-                    throw Boom.unauthorized(
+                    throw Boom.forbidden(
                         `You don't have permission to upload core apps`
                     )
                 }

server/src/routes/v1/apps/handlers/createAppVersion.js

@@ -73,7 +73,7 @@ module.exports = {
             isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1
 
         if (!userCanEditApp) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         const versionPayload = request.payload.version

server/src/routes/v1/apps/handlers/deleteApp.js

@@ -29,7 +29,7 @@ module.exports = {
         debug(`deleteApp : ${request.params.appId}`)
 
         if (!canDeleteApp(request, h)) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
         //todo: validate
 

server/src/routes/v1/apps/handlers/deleteAppVersion.js

@@ -59,7 +59,7 @@ module.exports = {
                 throw Boom.internal(err)
             }
         } else {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         //What the old v1 api responds with on this endpoint if all works out

server/src/routes/v1/apps/handlers/deleteImage.js

@@ -61,7 +61,7 @@ module.exports = {
                 throw Boom.internal(err)
             }
         } else {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         //What the old v1 api responds with on this endpoint if all works out

server/src/routes/v1/apps/handlers/editApp.js

@@ -84,7 +84,7 @@ module.exports = {
                 throw Boom.internal(err)
             }
         } else {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         //What the old v1 api responds with on this endpoint if all works out

server/src/routes/v1/apps/handlers/editAppVersion.js

@@ -88,6 +88,6 @@ module.exports = {
             }
         }
 
-        throw Boom.unauthorized()
+        throw Boom.forbidden()
     },
 }

server/src/routes/v1/apps/handlers/editImage.js

@@ -81,7 +81,7 @@ module.exports = {
                 throw Boom.internal(err)
             }
         } else {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         //What the old v1 api responds with on this endpoint if all works out

server/src/routes/v1/apps/handlers/getAllApps.js

@@ -26,7 +26,7 @@ module.exports = {
     },
     handler: async (request, h) => {
         if (!canSeeAllApps(request, h)) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         try {

server/src/routes/v1/apps/handlers/setApprovalStatus.js

@@ -23,7 +23,7 @@ module.exports = {
         //request.logger.info('In handler %s', request.path)
 
         if (!canChangeAppStatus(request, h)) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         const { status } = request.query

server/src/routes/v1/apps/handlers/uploadImageToApp.js

@@ -55,7 +55,7 @@ module.exports = {
         if (!canUploadMedia) {
             return h
                 .response({ message: `You don't have access to edit that app` })
-                .code(401)
+                .code(403)
         }
 
         const imageFile = request.payload.file

server/src/routes/v2/apps.js

@@ -104,7 +104,7 @@ module.exports = [
         },
         handler: async (request, h) => {
             if (!canCreateApp(request, h)) {
-                throw Boom.unauthorized()
+                throw Boom.forbidden()
             }
 
             const { db } = h.context
@@ -139,7 +139,7 @@ module.exports = [
                 db
             )
             if (!isMember && !isManager) {
-                throw Boom.unauthorized(
+                throw Boom.forbidden(
                     `You don't have permission to upload apps to that organisation`
                 )
             }

server/src/routes/v2/channels.js

@@ -35,7 +35,7 @@ module.exports = [
             request.logger.info('In handler %s', request.path)
 
             if (!currentUserIsManager(request)) {
-                throw Boom.unauthorized()
+                throw Boom.forbidden()
             }
 
             const { name } = request.payload
@@ -79,7 +79,7 @@ module.exports = [
             console.log(request.auth)
 
             if (!currentUserIsManager(request)) {
-                throw Boom.unauthorized()
+                throw Boom.forbidden()
             }
 
             const { name } = request.payload
@@ -146,7 +146,7 @@ module.exports = [
 
             if (!currentUserIsManager(request)) {
                 debug('unauthorized')
-                throw Boom.unauthorized()
+                throw Boom.forbidden()
             }
 
             const { uuid } = request.params